Slide 1

Configure cross-account deployment using CDK
Takuya Hashimoto / @hassaku_63
CDK Day 2023, 29th September 2023

Slide 2

Speaker
Takuya Hashimoto (Serverworks Co., Ltd.)
Developer, IT system admin
X (Twitter): @hassaku_63
GitHub: hassaku63
SpeakerDeck: hassaku63
Serverworks is: System Integrator & AWS Premier Tier Service Partner (since 2014); 1st Japanese company to acquire the MSP Competency in the AWS Partner Network (APN)

Slide 3

Contents
1. Overview of the “CDK Security and Safety Dev Guide”
2. What the “cdk bootstrap” command is actually doing
3. Configure cross-account deployment for a CDK project
This is my first time outputting in English. I'm looking forward to discussing with all of you today, but I apologize if my English is hard to understand.

Slide 4

Goal
The architecture we are assuming for this session: an actor in the pipeline account is triggered on push and runs cdk deploy against the target account(s).

Slide 5

Overview of the “CDK Security and Safety Dev Guide”

Slide 6

(QUESTION) What should a CDK beginner learn after going through the tutorial?

Slide 7

Fundamental documents about CDK
1. CDK Concepts: https://docs.aws.amazon.com/cdk/v2/guide/core_concepts.html
2. Security And Safety Dev Guide: https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide

Slide 8

CDK deployments and IAM permission (see the guide section “Controlling the permissions used by CDK deployments”)
[1] CliCredentialsStackSynthesizer: simple deployment pattern; does not use AssumeRole for deployment
[2] DefaultStackSynthesizer: CDK’s default approach; fewer permissions are required for the principal who initiates the CDK deployment action than with [1]

Slide 9

Permissions and Roles in DefaultStackSynthesizer

Slide 10

Permissions and Roles in DefaultStackSynthesizer
The principal who starts the CDK deployment action (internally it invokes the CloudFormation ExecuteChangeSet or Deploy API)

Slide 11

Permissions and Roles in DefaultStackSynthesizer
IAM Roles and permissions actually used during a CDK deployment

Slide 12

Permissions and Roles in DefaultStackSynthesizer
“Assets” publishing (container images)
“Assets” publishing (static files, such as Lambda function packages)

Slide 13

Permissions and Roles in DefaultStackSynthesizer
Executes the CloudFormation deployment

Slide 14

Permissions and Roles in DefaultStackSynthesizer
Executes the CloudFormation deployment:
- IAM Role for invoking the CloudFormation deploy API
- IAM Role used when CloudFormation constructs the resources

Slide 15

Permissions and Roles in DefaultStackSynthesizer
Only the AssumeRole permission is required for the principal (no other permission is needed)

Slide 16

Permissions and Roles in DefaultStackSynthesizer
Account for starting the deployment action / deployment target account(s)
(1) CDK’s default approach makes it easier to migrate to a cross-account architecture because deployments are based on AssumeRole & PassRole
(2) These resources (in the orange box) are constructed by “cdk bootstrap”
(3) When configuring cross-account deployment, the IAM Roles need to be configured to “trust” the principals in the other account (done by executing the “cdk bootstrap” command)

Slide 17

What the “cdk bootstrap” command is actually doing

Slide 18

CDK bootstrap (revision)
Deploys a CloudFormation stack called the “bootstrap stack”
CDK Developer Guide - Concepts: Bootstrapping
https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html

Slide 19

CDK bootstrap
$ cdk bootstrap --show-template > bootstrap-template.yml
Defined resources are (only covering those relevant to my talk theme):
1. S3 Bucket for storing file assets
2. ECR Repository for uploading container assets
3. IAM Role for uploading file assets
4. IAM Role for pushing container assets
5. IAM Role for looking up resources
The IAM Role resources defined in the bootstrap template allow AssumeRole to an AWS account principal if “TrustedAccounts” is given.

Slide 20

Configure cross-account deployment for a CDK project

Slide 21

Configuration for cross-account deployment
Overview: hassaku63/cdk-cross-account-deployment-example
1. bootstrap on Pipeline account
2. bootstrap on Target account (trust the “pipeline account” principal)
3. Deploy pipeline stack
4. Deploy to target (by git push)
(Diagram: Pipeline account and Target account(s))

Slide 23

Configuration for cross-account deployment
Bootstrap on the target account with the “trust” option. Execute on all target accounts:
$ npx cdk bootstrap \
    --trust <PIPELINE_ACCOUNT_ID> \
    --cloudformation-execution-policies 'arn:aws:iam::aws:policy/AdministratorAccess'
(Diagram: Pipeline account and Target account(s))

Slide 24

Configuration for cross-account deployment
Configure the service role for CodeBuild: allow the AssumeRole action to the Roles that are constructed by bootstrap in the target account(s)
(Diagram: Pipeline account and Target account(s))
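Steps 2 and 4 of the procedure above (the trust given at bootstrap and the AssumeRole permission for CodeBuild), as an added example that is not code from the talk or from the hassaku63/cdk-cross-account-deployment-example repository: it builds the pipeline-side policy that grants CodeBuild only sts:AssumeRole on the target accounts' bootstrap roles, and checks a target-account role's trust policy for the pipeline account. The role names assume the default bootstrap qualifier hnb659fds; all account IDs are constructed.

```python
# Role-name stems created by `cdk bootstrap` (slide 19). The default
# qualifier "hnb659fds" is assumed; a custom --qualifier changes the names.
DEFAULT_QUALIFIER = "hnb659fds"
BOOTSTRAP_ROLES = ("deploy-role", "file-publishing-role",
                   "image-publishing-role", "lookup-role")


def bootstrap_role_arns(account, region, qualifier=DEFAULT_QUALIFIER):
    """ARNs of the bootstrap roles in one target account and region."""
    return [f"arn:aws:iam::{account}:role/cdk-{qualifier}-{name}-{account}-{region}"
            for name in BOOTSTRAP_ROLES]


def codebuild_assume_policy(target_accounts, region, qualifier=DEFAULT_QUALIFIER):
    """Inline policy for the CodeBuild service role in the pipeline account:
    sts:AssumeRole on each target's bootstrap roles and nothing broader.
    The deploy role then passes the CloudFormation execution role, so keep the
    --cloudformation-execution-policies chosen at bootstrap as narrow as possible."""
    resources = [arn for acct in target_accounts
                 for arn in bootstrap_role_arns(acct, region, qualifier)]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "sts:AssumeRole",
                           "Resource": resources}]}


def trusts_account(assume_role_policy, pipeline_account):
    """Check a bootstrap role's trust policy (AssumeRolePolicyDocument as
    iam:GetRole returns it) for an Allow of sts:AssumeRole to the pipeline
    account, which is what --trust adds on the target side (slide 23)."""
    accepted = {pipeline_account, f"arn:aws:iam::{pipeline_account}:root"}
    for stmt in assume_role_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        if "sts:AssumeRole" in actions and accepted & set(aws):
            return True
    return False


# Constructed sample: a target-account deploy-role trust policy after
# `cdk bootstrap --trust 111111111111` (both account IDs are made up).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": ["arn:aws:iam::222222222222:root",
                                         "arn:aws:iam::111111111111:root"]},
                   "Action": "sts:AssumeRole"}]}
```

Run trusts_account against the real AssumeRolePolicyDocument of each bootstrap role (for example from `aws iam get-role`) to confirm the trust before deploying the pipeline stack.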

Slide 25

Conclusion

Slide 26

Conclusion
Learn about …
1. What resources are constructed by the “cdk bootstrap” command
2. Using the “trust” option of the bootstrap command to configure cross-account deployment
3. Allowing the actor that starts the deployment (such as a CodeBuild Project) to execute the AssumeRole action on the Roles that are constructed by bootstrap

Slide 27

Slides published on https://speakerdeck.com/hassaku63